European comms bodies set up standards group, call for vigilance on contact-tracing apps
In response to the coronavirus pandemic, the European Telecommunications Standards Institute (ETSI) has established a new group to work on a standardisation framework that will enable developers to build interoperable mobile apps for proximity detection.
Yet as it was doing so, the Europe Technology Policy Committee of the Association for Computing Machinery (ACM) called for transparency, interoperability, privacy and scrutiny in Covid-19 contact-tracing.
ETSI’s new Industry Specification Group Europe for Privacy-Preserving Pandemic Protection (ISG E4P) will establish a standardisation framework to enable the development of interoperable systems to automatically trace and inform potentially infected users in addition to manual notification methods, while preserving users’ privacy and complying with relevant data protection regulations.
ETSI believes the most effective strategy for curbing the spread of Covid-19 is to break transmission chains by informing people when they have been in close contact with other individuals who have tested positive for the virus. As well as accelerating the development of smartphone-based apps to help with the essential breaking of transmission chains, ETSI believes a pan-European standardisation framework should enable interoperability between different proximity tracing and alert systems as and when they are officially released.
But the organisation believes that a primary challenge in these efforts will be collecting, processing and acting on information about citizens’ proximity at scale, potentially tens or hundreds of millions of people. This must also be achieved without compromising users’ anonymity and privacy, and while safeguarding them against exposure to potential cyber attacks.
“By their nature, smartphones are highly personal devices, carrying large amounts of data about individuals,” said ETSI director-general Luis Jorge Romero. “In ETSI, we are committed to support an international development community with a robust standardisation framework that allows rapid, accurate and reliable solutions while winning the trust of the population at large.”
The new ETSI E4P group will consider the proposed European Commission recommendation on a common European Union toolbox for the use of technology and data to combat and exit from the Covid-19 crisis, in particular for mobile applications and the use of anonymised mobility data. It will also reflect the EC Communication on Guidance on Apps supporting the fight against Covid-19 in relation to data protection. The group’s activities will also draw on ETSI’s expertise in areas such as cyber security, e-health and emergency communications.
The group already comprises more than 10 organisations drawn from global telco operators, suppliers and research centres from various activity sectors. ETSI anticipates “many more” significant players joining the group soon.
Yet as ETSI was assembling the group, the ACM’s Europe Technology Policy Committee (Europe TPC) was releasing detailed principles and practices for the development and deployment of contact-tracing technology intended to track and arrest the spread of Covid-19. The committee’s principles and practices address five critical areas of policy: technical architecture, development transparency, expert oversight, legal safeguards and public engagement.
Key recommendations include making all contact-tracing apps entirely voluntary for members of the public to use (individual opt-in); internationally interoperable; open source and developed using a transparent process; subject to oversight by multidisciplinary committees of experts; strictly limited in their use and data collection by clear legal safeguards; and available for formal comment by the public and civil society.
In a statement announcing the essential principles and practices for Covid-19 contact-tracing apps, the committee called on governments that choose to adopt such systems “to use only those which, by technical and legal design, respect and protect the rights of all individuals; safeguard personal data and privacy to the highest degree technically possible; and are subject to scrutiny by the scientific community and civil society before, during and after deployment”.